
After completing this chapter, you will be able to perform the following
tasks:

Identify what a VLAN is and how it operates.

Configure a VLAN to improve network performance.

Identify what role the switch plays in the creation of VLANs.

Identify how network devices communicate about VLANs.

Describe the need and operation of the VLAN Trunking Protocol.

Configure the Catalyst Switch for VLAN operation.

The design and function of a bridged/switched network is to provide enhanced
network services by segmenting the network into multiple collision domains. The
fact remains, however, that without any other mechanism, the bridged/switched
network is still a single broadcast domain. A broadcast domain is a group of
devices that can receive one another's broadcast frames. For example, if
device A sends a broadcast frame and that frame is received by devices B and C,
all three devices are said to be in a common broadcast domain. Because broadcast
frames are flooded out all ports on a bridge/switch (by default), the devices
connected to the bridge/switch are in a common broadcast domain.

Controlling broadcast propagation throughout the network is important to
reduce the amount of overhead associated with these frames. Routers, which
operate at Layer 3 of the OSI model, provide broadcast domain segmentation for
each interface. Switches can also provide broadcast domain segmentation using
virtual LANs (VLANs). A VLAN is a group of switch ports, within a single or
multiple switches, that is defined by the switch hardware and/or software as a
single broadcast domain. A VLAN's goal is to group devices connected to a
switch into logical broadcast domains to control the effect that broadcasts have
on other connected devices. A VLAN can be characterized as a logical
network.

The benefits of VLANs include the following:

Security

Segmentation

Flexibility

VLANs enable you to group users into a common broadcast domain regardless of
their physical location in the internetwork. Creating VLANs improves performance
and security in the switched network by controlling broadcast propagation and
requiring that communications between these broadcast domains be carried out by
a Layer 3 device that is capable of implementing security features such as
access control lists (ACLs).

In a broadcast environment, a broadcast sent out by a host on a single segment
would propagate to all segments. In normal network operation, hosts frequently
generate broadcast/multicast traffic. If hundreds or thousands of hosts each
sent this type of traffic, it would saturate the bandwidth of the entire network,
as shown in Figure 3-1.
Also, without forcing some method of checking at an upper layer, all devices
in the broadcast domain would be able to communicate via Layer 2. This severely
limits the amount of security you can enforce on the network.

Before the introduction of switches and VLANs, internetworks were divided into
multiple broadcast domains by connectivity through a router. Because routers
do not forward broadcasts, each interface is in a different broadcast domain.
Figure 3-2 shows an
internetwork broken into multiple broadcast domains using routers. Notice that
each segment is an individual IP subnet and that regardless of a workstation's
function, its subnet is defined by its physical location.

A VLAN is a logical broadcast domain that can span multiple physical LAN
segments. A VLAN can be designed to provide independent broadcast domains for
stations logically segmented by functions, project teams, or applications,
without regard to the users' physical location. Each switch port can be
assigned to only one VLAN. Ports in a VLAN share broadcasts. Ports that do not
belong to the same VLAN do not share broadcasts. This control of broadcasts
improves the internetwork's overall performance.

Notice that now all users in a given group (department in this example) are
defined to be in the same VLAN. Any user in this VLAN receives a broadcast from
any other member of the VLAN, while users of other VLANs do not receive these
broadcasts. Each of the users in a given VLAN is also in the same IP subnet.
This is different from the broadcast domains of Figure
3-2, in which the physical location of the device determines the broadcast
domain. However, there is a similarity with a legacy, non-VLAN internetwork
because a router is still needed to get from one broadcast domain to another,
even if a VLAN is used to define the broadcast domain instead of a physical
location. Therefore, the creation of VLANs does not eliminate the need for routers.

Within the switched internetwork, VLANs provide segmentation and
organizational flexibility. Using VLAN technology, you can group switch ports
and their connected users into logically defined communities of interest, such
as coworkers in the same department, a cross-functional product team, or diverse
user groups sharing the same network application.

A VLAN can exist on a single switch or span multiple switches. VLANs can
include stations in a single building or multiple-building infrastructures. In
rare and special cases, they can even connect across wide-area networks
(WANs).

VLAN Concepts

As mentioned previously, prior to the VLAN, the only way to control broadcast
traffic was through segmentation using routers. VLANs are an extension of a
switched and routed internetwork. By having the ability to place segments
(ports) in individual broadcast domains, you can control where a given broadcast
is forwarded. The sections that follow expand on these concepts. Without VLANs,
each switch basically acts independently of the other switches in the network.
With VLANs, a level of interdependence is built into the switches themselves.
The characteristics of a typical VLAN setup are as follows:

Each logical VLAN is like a separate physical bridge.

VLANs can span multiple switches.

Trunk links carry traffic for multiple VLANs.

With VLANs, each switch can distinguish traffic from different broadcast domains.
Each forwarding decision is based on which VLAN the packet came from; therefore,
each VLAN acts like an individual bridge within a switch. To bridge/switch between
switches, you must either connect each VLAN independently (that is, dedicate
a port per VLAN) or have some method of maintaining and forwarding the VLAN
information with the packets. A process called trunking allows this single
connection. Figure 3-4
illustrates a typical VLAN setup in which multiple VLANs span two switches interconnected
by a Fast Ethernet trunk.

How VLANs Operate

A Catalyst switch operates in your network like a traditional bridge. Each
VLAN configured on the switch implements address learning, forwarding/filtering
decisions, and loop avoidance mechanisms as if it were a separate physical
bridge. This VLAN might include several ports, possibly on multiple
switches.

Internally, the Catalyst switch implements VLANs by restricting data
forwarding to destination ports in the same VLAN as originating ports. In other
words, when a frame arrives on a switch port, the Catalyst must retransmit the
frame only to a port that belongs to the same VLAN as that of the incoming port.
The implication is that a VLAN operating on a Catalyst switch limits
transmission of unicast, multicast, and broadcast traffic. Flooded traffic
originating from a particular VLAN floods out only other ports belonging to that
VLAN. Each VLAN is an individual broadcast domain because a broadcast in a given
VLAN will never reach any ports in other VLANs.

Normally, a port carries traffic only for the single VLAN to which it belongs.
For a VLAN to span multiple switches on a single connection, a trunk is required
to connect two switches. A trunk carries traffic for all VLANs by identifying
the originating VLAN as the frame is carried between the switches. Figure
3-4 shows a Fast Ethernet trunk carrying multiple VLANs between the two
switches. Most ports on Catalyst switches are capable of being trunk ports.
Any port on a Catalyst 2950 can be a trunk port.
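The forwarding behaviour described above (per-VLAN learning, flooding confined to the originating VLAN, and the VLAN identity kept on frames that leave over a trunk) as a small simulation. This is an added example, not Catalyst code; port names, MAC strings and the tag representation are constructed for illustration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Toy model of a VLAN-aware learning switch (constructed example).
    Access ports belong to exactly one VLAN; a trunk port carries every
    VLAN and keeps the VLAN id on frames as they leave the switch."""

    def __init__(self, access, trunks):
        self.access = dict(access)      # access port -> VLAN id
        self.trunks = set(trunks)       # ports that carry all VLANs
        self.mac_table = {}             # (vlan, mac) -> port: one table per VLAN

    def vlan_of(self, port, tag):
        # An access port ignores any tag; a trunk must tell us the originating VLAN.
        if port in self.trunks:
            if tag is None:
                raise ValueError("untagged frame received on trunk %s" % port)
            return tag
        return self.access[port]

    def ports_in_vlan(self, vlan):
        return {p for p, v in self.access.items() if v == vlan} | self.trunks

    def receive(self, in_port, src, dst, tag=None):
        """Return {out_port: vlan_tag_or_None} describing where the frame goes."""
        vlan = self.vlan_of(in_port, tag)
        self.mac_table[(vlan, src)] = in_port         # address learning per VLAN
        known = self.mac_table.get((vlan, dst))
        if dst != BROADCAST and known is not None:
            outs = {known} - {in_port}                # filtered unicast
        else:
            outs = self.ports_in_vlan(vlan) - {in_port}   # flood, same VLAN only
        # Frames sent over the trunk carry the VLAN id; access ports get plain frames.
        return {p: (vlan if p in self.trunks else None) for p in outs}


def demo():
    # Constructed topology: two VLAN 10 hosts, one VLAN 20 host, one trunk uplink.
    sw = VlanSwitch(access={"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 20},
                    trunks={"Fa0/24"})
    bcast = sw.receive("Fa0/1", "aa", BROADCAST)      # VLAN 10 broadcast
    reply = sw.receive("Fa0/2", "bb", "aa")           # unicast to learned host
    other = sw.receive("Fa0/3", "dd", "aa")           # "aa" unknown in VLAN 20
    from_trunk = sw.receive("Fa0/24", "cc", BROADCAST, tag=20)
    return bcast, reply, other, from_trunk
```

Running `demo()` shows the VLAN 10 broadcast reaching Fa0/2 and the trunk (tagged 10) but never Fa0/3, and the VLAN 20 frame addressed to "aa" being flooded because the address was learned only in VLAN 10.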

VLAN Membership Modes

VLANs are a Layer 2 implementation in your network's switching topology.
Because they are implemented at the data link layer, they are
protocol-independent. To put a given port (segment) into a VLAN, you must create
a VLAN on the switch and then assign that port membership on the switch. After
you define a port to a given VLAN, broadcast, multicast, and unicast traffic
from that segment will be forwarded by the switches only to ports in the same
VLAN. If you need to communicate between VLANs, you must add a router (or Layer
3 switch) and a Layer 3 protocol to your network.

The ports on a Layer 2 Catalyst switch, such as a 2950, all function as Layer
2 ports. In Cisco IOS Software, a Layer 2 port is known as a
switchport. A switchport can either be a member of a single VLAN
or be configured as a trunk link to carry traffic for multiple VLANs. When a
port is in a single VLAN, the port is called an access port. Access ports
are configured with a VLAN membership mode that determines to which VLAN they
can belong. The membership modes follow:

StaticWhen an administrator assigns a single VLAN to a port,
it is called static assignment. By default, all Layer 2 switchports are
statically assigned to VLAN 1 until an administrator changes this default
configuration.

DynamicThe IOS Catalyst switch supports the dynamic
assignment of a single VLAN to a port by using a VLAN Membership Policy Server
(VMPS). The VMPS must be a Catalyst Operating System switch, such as a Catalyst
5500 or 6500, running the set-based operating system. An IOS-based Catalyst
switch cannot operate as the VMPS. The VMPS contains a database that maps MAC
addresses to VLAN assignment. When a frame arrives on a dynamic port, the switch
queries the VMPS for the VLAN assignment based on the arriving frame's
source MAC address.

A dynamic port can belong to only one VLAN at a time. Multiple hosts can be
active on a dynamic port only if they all belong to the same VLAN. Figure
3-5 demonstrates the static and dynamic VLAN membership modes.
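The dynamic membership rules above (VMPS lookup on the source MAC, one VLAN per dynamic port at a time, several hosts only if they map to that same VLAN) as a small model. This is an added example, not the VMPS implementation; the MAC strings are constructed, and the behaviour of releasing the port when its last host leaves is an assumption made so that reassignment can be shown.

```python
class DynamicPortTable:
    """Constructed model of VMPS-style dynamic VLAN membership."""

    def __init__(self, vmps_db):
        self.vmps_db = dict(vmps_db)   # VMPS database: source MAC -> VLAN id
        self.port_vlan = {}            # dynamic port -> VLAN currently assigned
        self.active = {}               # dynamic port -> MACs admitted on it

    def frame_arrives(self, port, src_mac):
        """Return (vlan, accepted). The frame is accepted only when the VMPS
        knows the MAC and its VLAN matches the port's current VLAN, if any."""
        vlan = self.vmps_db.get(src_mac)
        if vlan is None:
            return None, False            # MAC not in the VMPS database
        current = self.port_vlan.get(port)
        if current is not None and current != vlan:
            return current, False         # port holds only one VLAN at a time
        self.port_vlan[port] = vlan
        self.active.setdefault(port, set()).add(src_mac)
        return vlan, True

    def host_leaves(self, port, src_mac):
        # Assumed behaviour: the port drops its VLAN once no admitted host remains.
        hosts = self.active.get(port, set())
        hosts.discard(src_mac)
        if not hosts:
            self.port_vlan.pop(port, None)
```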

For an access port, the VLAN identity is not known by the sender or receiver
attached to the access port. Frames going into and out of access ports are
standard Ethernet frames, as discussed in Chapter 2, "Configuring Catalyst
Switch Operations." The VLAN identity is used only within the switch to
provide broadcast domain boundaries.